I'm writing a thriller, set in 2007, and have the scenario that one person in a government building wants to access (undetected) the email of another person in that building. They are both of a senior level, and the one who wants to read the email has access to some very clever hackers/IT specialists (but can't use the CIA/FBI because it's all very illegal). I don't want enough detail to do it, just whether it is feasible and, if so, with enough hints to make it sound plausible, e.g. would the hacker have to visit the building.

Sorry if I've chosen the wrong site or thread, but it is security and I am a newbie here...

January 4th, 2012, 08:28 PM

nihil

Hi and welcome to AO :)

Yes you have a security question, and I have seen several similar requests over the years where someone has seen something in a film or read it in a novel and wondered if it was feasible.

You say that they are both senior (presumably civil servants) and are in the same building. I would guess that means that they are on the same network and use the same mail server?

Quote:

e.g. would the hacker have to visit the building.

Well, they are both in it already, so what I guess you are asking is would it take physical access to the mail server and/or client computer? Or could it be done remotely?

The answer is almost certainly "yes". How would depend on the setup, and security (not noted in government establishments) in place.

Can we have a bit more background?

January 4th, 2012, 08:59 PM

Sly80

Thank you for the quick and helpful reply, and for the welcome.

"and security (not noted in government establishments)" LOL

Yes, they are civil servants based in Washington. Essentially the story is about trying to find out if an ex-general (now a civil servant) can be trusted in the investigation of a corrupt army officer in Afghanistan, or whether he is actually involved. Because the other civil servant can't trust the CIA etc. in the circumstances (out-ranked) he is using a less-than-legal bunch of people to help him out. These are world-class criminals with a lot of resources to hand.

Is that enough background? I just need to be able to sketch out him asking for help and the bunch of criminals (he's worked with them before) delivering the solution.

January 5th, 2012, 12:35 AM

gore

You should really REALLY check out "The Cuckoo's Egg" by Cliff Stoll. It's a true story he wrote about something that happened to him, and part of this is in his book.

January 5th, 2012, 11:15 AM

Sly80

Thanks for the tip, Gore. I've downloaded a copy of the book.

January 5th, 2012, 07:24 PM

nihil

Hi,

I will assume that this is a typical government or institutional scenario where all data (including e-mails) are held on shared, central servers, as opposed to locally on users' desktops. This is so that data are backed up properly, as users cannot be trusted.

There are three potential attack vectors IMO:

1. The mailserver itself.
2. The mailserver backups (frequently stored under far less security than the server room ;))
3. The e-mail account that is the target.

1 & 2 are where the FEDs would go, or criminals after ALL e-mails.

3 is the Sarah Palin (and dozens of others) scenario.

To access someone's live e-mail account you need:

1. Their UserID.
2. Their password.
3. Access to the mailserver their account is on.

In the scenario that you describe, #1 is a no-brainer because his ID will be on the internal e-mail directory.

Similarly #3 should not be a problem as your protagonist should have the same access rights as the target.

That just leaves obtaining their password..............AND (presumably?) avoiding detection.

A lot would depend on the type of government department we are talking about here, and what their security policies happen to be.

A few more background questions:

1. Is this e-mail on a "secure" network or one you can surf the net with?
2. Are we talking about desktops or laptops?
3. Can authorised employees access their e-mail accounts remotely or must they be on site?

:)

January 5th, 2012, 07:53 PM

Sly80

Brilliant information, Nihil. Just the sort of thing I'm looking for. And, yes, he needs to avoid detection so I guess he can't just open the account (if he has the password) and look?

As for your 3 questions:

1) Probably one where they can surf, claiming the need to research, etc.
2) Could be either, but in 2007 I guess there is a tendency to use a laptop and take it everywhere - can do whatever is best - the joys of fiction.
3) I would say almost certainly the top brass will want to access their email from anywhere.